Insight

The intel on risk intelligence

Harnessing automation and advanced analytics to drive effective data technology risk intelligence

Luke Nelson


Managing Director, Technology Risk Management, KPMG LLP

Business leaders in organizations across geographies and industries are accelerating the pace of new investments in innovative enterprise technologies that are transforming every aspect of their operations. This has given rise to new technology-enabled business strategies that are leaving an indelible mark on how people and processes are managed to alter—and enhance—the value proposition that organizations bring to market. 

The introduction of new systems platforms, however, does not mean that legacy technologies and infrastructures are completely replaced. As a result, business and technology executives are left to manage an increasingly complex environment that is constantly evolving.

As this dynamic environment evolves, so does the threat, risk and vulnerability landscape. Understanding key dependencies, potential single points of failure and other factors that can manifest themselves to disrupt—or derail—business operations is emerging as a critical discipline and competency for organizations.

That is where technology risk intelligence comes in, according to Luke Nelson, a Managing Director with KPMG’s Technology Risk Management practice. The questions below explore the role technology risk intelligence can play in ensuring effective, efficient and continuous business operations in today’s dynamic global digital environment.


What is technology risk intelligence, and how can it help organizations manage potential risks to enterprise operations?

Over the last several years, traditional thinking surrounding technology risk management has shifted from simply focusing on identifying risks that can disrupt operations to quantifying the financial impact that different risks and threats have on organizations. It represents a recognition that all risks and threats are not alike. It also reflects a more nuanced understanding about how to prioritize the way risks are identified and managed. The most obvious risks are not often the ones that have the highest potential for causing damage. Indeed, we have found that seemingly innocuous vulnerabilities can carry outsized consequences, based on the interdependencies to which they may be connected.  

KPMG has developed offerings and services that provide organizations with a clear and in-depth picture of how technology risks can adversely affect an organization by leveraging emerging technologies like artificial intelligence, intelligent automation, advanced modeling capabilities, and natural language processing. This is critical to getting the best return on investments from risk-mitigation efforts. 

 

Has risk mitigation not been weighted properly in years previous?

In many ways risk mitigation has often been more of an art than a science. Historically, risk managers and security professionals have identified threats and vulnerabilities and then applied their own experience and expertise to determine what, when and how to take the steps to mitigate them.

This has really been their only option, because there has not been a way to fully understand the consequence of an exploitation unless it has occurred before. There have been few resources for understanding the full implications of a vulnerability before it plays out.

Moreover, it has been difficult to engage in an apples-to-apples comparison when analyzing risk. Much of the conversation, to date, has focused on the odds of an event and the disruptions that it would cause from an operational standpoint. So, for instance, when assessing the technology risks in systems that support an HR operation, analysts have focused on determining how disruption might derail day-to-day workflows—and even the amount of personal information that would be compromised.

A separate analysis of technology risks to a manufacturing process might explore how exploited vulnerabilities can interrupt an assembly process. The list of technology risks goes on and on, and with it grows the complexity associated with trying to accurately compare the impact of disruptive events on the organization.

It turns out that the best way to begin the analysis is to standardize all risk analytics metrics on the one attribute that they share in common: money.

By creating an accurate model—based on financial impact—of all identifiable threats, risks and vulnerabilities, organizations can develop an accurate understanding of how to determine the best return on investment from risk mitigation activities.

Why is this aspect of risk intelligence materializing at this point in time as opposed to, say, five years ago?

As enterprises engage with shared services providers more and more and build ever increasingly complex digital capabilities, technology risk increasingly comes to the fore as a requirement necessary to remain competitive in the marketplace. 

The difference between five years ago and today is we can now feed historical loss data into a model and draw insights that help align technology risk to exposure reduction.

Moreover, organizations are escalating timetables for new technology initiatives. Decision makers are therefore under pressure to incorporate a much more proactive stance on managing the risks that come with changes to the business environment.

Whether an initiative is focused on increasing distribution channels or improving customer outreach, enterprises are discovering that legacy technology needs to be upgraded to a modern technology environment, or at least integrated with these new platforms.

Leadership is rightfully concerned about the risk profile of new technologies coming into the business, even as they focus on the opportunities that new technologies present. 

What role does technology risk intelligence play in business continuity and operational resilience?

There is a two-fold value that technology risk intelligence brings to activities that serve business continuity and resilience.

  • The first is that technology risk intelligence actually provides organizations with more confidence in mitigation activities, ensuring that the right efforts are being brought to bear in supporting the correct services to ensure resilience.
  • Second, it provides context for how decision-makers decide to shore up business continuity strategies. When there are major shifts in technology infrastructure -- such as moving workloads from legacy on-premises data centers to cloud environments -- changes also have to be made to the strategies that are designed to keep the business running.

Technology risk intelligence enables leadership to have a full understanding of how these types of changes will alter the risk profile for the business. Executives will have a better sense of the necessary steps to take to reduce risk exposure once new technologies have been implemented.

How should organizations begin applying technology risk intelligence into their risk functions?

There are a few foundational aspects that organizations have to have in place to get started:

  1. Take careful inventory of the current technology estate so that they can have a robust technology risk taxonomy. This serves as the bedrock for building the enterprise technology infrastructure forward. It allows organizations to establish asset inventory and control frameworks, which are also important to standing up a technology risk intelligence program.
  2. Thoroughly understand the incident management process across the enterprise to ascertain potential data loss concerns so that new—and better—business models and financial impact analysis frameworks can be developed.
  3. Carefully think through their needs and requirements for capturing, analyzing and reporting currently manifested and potential risks. Effective communication of technology risk assessments must reach the layer of leadership in order to have a meaningful impact. All too often, risk reporting tools are used only by security or risk managers. This deprives senior leaders of insights that can improve the decisions that they make. 

What part of the organization should own technology risk intelligence?

The conversation of which department owns the technology risk is beginning to shift. In the past, technology risk may have been an issue that was addressed by leaders and departments responsible for enterprise technology procurement and implementation. As enterprises increasingly adopt new capabilities—such as automation of underlying technological infrastructures—it is increasingly understood that the technology platform can drive organizations towards desired business outcomes. This is bringing line of business executives and strategic planning teams into the equation.

Why? If decision makers are going to make big bets on transformation based on technology, they will have to proactively identify the potential risks before they: sign off on strategies; design new processes; and select new technologies.

Moreover, an intimate understanding of technology risk can also offer more accurate insight into the sort of returns—or cost savings—they can expect from decisions they make. Having a clear understanding of technology risk provides the clarity needed for leaders to move forward with technology-enabled transformation strategies with higher levels of confidence.

Do you have an example or scenario of an institutional deployment of technology risk intelligence that you can share?

Recently we worked with a large, global financial services institution to leverage technology risk data so that the organization achieved its strategic goals. Much of the strategy involved implementing new technologies, and KPMG was able to guide the leadership team by providing insight into how technology—and its associated risks—would evolve over a three to five year timeline. The conversation focused on the financial effects of improving technology platforms through this strategic time frame. 

KPMG brought its technology risk intelligence platform to bear on this engagement to provide the institution with a clear picture of the interrelationships between various applications and assets. We were able to illustrate how all of these complex elements connected and interacted with the operations of the different business units.

The technology risk executives of this global financial institution were better able to report on spending attached to risk reduction, and provide their leadership with a clear picture of how much investment would be needed to meet key strategic objectives.

The CEO was impressed with the engagement. It provided him with a much clearer perspective on how to track returns on investment in technology in a risk-adjusted manner.

It altered the strategic thinking of the leadership team and enabled the organization to accelerate the process of transforming the organization to meet changing demands in the market.

The implementation of KPMG’s technology risk platform and the insights provided by the engagement encouraged the CEO to pursue new initiatives more quickly. It demonstrated the value of KPMG’s technology risk intelligence platform as an enabler for organizations that have to truly understand the risk/reward variables as they execute their business transformation strategies. 

 


KPMG Tech Risk Intelligence in action

A multinational company leveraged KPMG Tech Risk Intelligence and saved over $13 million in revenue by reducing technology risk.